Delivered-To: freebsd-security@freebsd.org
Date: Mon, 24 Jun 2002 23:45:25 -0500 (CDT)
From: Mike Silbersack
To: Sean Kelly
Cc: Theo de Raadt, Ted Cabeen, "Jacques A. Vidrine"
Subject: Re: Hogwash
In-Reply-To: <20020625041946.GA6840@edgemaster.zombie.org>
Message-ID: <20020624233910.V55382-100000@patrocles.silby.com>

On Mon, 24 Jun 2002, Sean Kelly wrote:

> What percentage of people? As it has already been said, FreeBSD-STABLE
> still uses OpenSSH 2.9. The privsep features do not exist in this version,
> and you've not clarified whether this exploit will affect this version as
> well. All you've said is that everybody should upgrade now or turn it off.
> Neither of those options are that entirely helpful for a lot of us out here.

I think this thread needs to die very soon. Theo's solution to this bug is
unorthodox, but it should serve to protect those who are willing to upgrade.
He does not deserve all the bashing you're giving him.

Theo did miss one possible solution, though: Buy ssh.com's ssh server.
If you find that you're not getting your $0 worth out of OpenSSH, you're
more than welcome to choose an alternate vendor.

In any case, this argument has no place on the FreeBSD security list; DES is
working on getting Priv Separation working as we speak, and you'll be able
to upgrade in a day or two.

Please end this.

Mike "Silby" Silbersack